From a3ebabef3669b293641b29b8cb1777f48ad60f5c Mon Sep 17 00:00:00 2001 From: Tommy Pauly Date: Mon, 29 Jan 2024 08:32:34 -0800 Subject: [PATCH] Add property for security protocol/version --- draft-ietf-taps-interface.md | 21 ++++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/draft-ietf-taps-interface.md b/draft-ietf-taps-interface.md index d0bb70c7..b1308f58 100644 --- a/draft-ietf-taps-interface.md +++ b/draft-ietf-taps-interface.md @@ -1595,7 +1595,9 @@ configuration and actively during a handshake. The set of security parameters defined here is not exhaustive, but illustrative. Implementations SHOULD expose an equivalent to the parameters listed below to allow for sufficient configuration of security parameters, but the details are expected -to vary based on platform and implementation constraints. +to vary based on platform and implementation constraints. Applications MUST be able +to constrain the security protocols and versions that the Transport Services System +will use. Representation of security parameters in implementations ought to parallel that chosen for Transport Property names as suggested in {{scope-of-interface-defn}}. 
@@ -1615,6 +1617,23 @@ SecurityParameters := NewDisabledSecurityParameters() SecurityParameters := NewOpportunisticSecurityParameters() ~~~ +### Allowed security protocols + +Name: +: allowedSecurityProtocols (alternatively, minimumSecurityProtocolVersion and maximumSecurityProtocolVersion) + +Type: +: Implementation-specific enumeration of security protocol names and/or versions. + +Default: +: Implementation-specific best available security protocols + +This property allows applications to restrict which security protocols and security protocol versions can be used in the protocol stack. Applications MUST be able to constrain the security protocols used by this or an equivalent mechanism, in order to prevent the use of security protocols with unknown or weak security properties. + +~~~ +SecurityParameters.Set(allowedSecurityProtocols, [ tls_1_2, tls_1_3 ]) +~~~ + ### Certificate bundles Names:
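Review bot: The first hunk adds a normative requirement ("Applications MUST be able to constrain the security protocols and versions that the Transport Services System will use") that is then restated almost verbatim in the second hunk's property description; one of the two MUSTs should be dropped or turned into a cross-reference to the new "Allowed security protocols" section, so the two copies cannot drift apart in later revisions.

Review bot: In the second hunk, the Name entry gives two alternatives ("allowedSecurityProtocols (alternatively, minimumSecurityProtocolVersion and maximumSecurityProtocolVersion)") that are different shapes (a set of names versus a version range), yet the Type entry only describes an enumeration and the example only shows the set form; either pick one representation or state how the two interact when both are offered. The hunk also leaves unspecified what the Transport Services System does when none of the listed protocols is available in the protocol stack, which matters precisely because the stated purpose is to prevent falling back to weak or unknown protocols, and the identifiers `tls_1_2` and `tls_1_3` in the example are not defined anywhere in the visible text, so a sentence noting that the enumeration values are implementation-specific (or pointing to where they are defined) would help.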